European Consumer Summit 2014 On-line and mobile payments Dr Florent Frederix Trust & Security Unit, DG CONNECT, European Commission 1 th of April 2014 A. BORSCHETTE CENTRE , Brussels


European Consumer Summit 2014 On-line and mobile payments

Dr Florent Frederix
Trust & Security Unit, DG CONNECT, European Commission

1st of April 2014
A. BORSCHETTE CENTRE, Brussels


Content

• What is mobile payment?

• How big are cyber security risks?

• What is the European Commission doing about it?


What is mobile payment?

• Some examples:
  1. Contactless m-payment with NFC mobile
  2. PayPal / Pre-paid card wireless payment
  3. M-payments & ATM transactions using QR
  4. M-payments using electronic currencies
  5. M-payments using Near Sound Data Transfer and other technologies


m-payment with NFC mobile

• Options:
• Mobile + NFC card
  - Security equal to security of another NFC credit/debit card
• Mobile + secure SIM
  - Security higher than the security of another NFC credit/debit card
• Mobile + secure element in the cloud/software
  - Android 4.4 (KitKat) can drive the NFC hardware on your mobile phone
  - Security data not yet available but probably lower than NFC card

Blog.tesco.com


PayPal / Pre-paid card payment

• Similar to PayPal(1) from a web browser.
• The difference is two-factor identification based on phone number and PIN code. No secure element.
• The Trusted Service Manager is PayPal, which ensures the link between the credentials of the mobile phone holder and the linked credit/debit accounts.

(1) PayPal used as one example. Description not complete.

(2) Google’s brilliant plan to get millions to adopt its e-money system: Gmail, www.qz.com, March 27, 2014

Google e-money


M-payments & ATM using QR codes

• (1) Text emulation
• Fake payment requests?
• Security measures?

• (2) Real mobile QR payments


M-payments with e-currencies

• Issues:
• Legal base
• Trusted service manager? (the network?)

• (Security?)


M-payment with NSDT and ….

• Characteristics:
• Side channel attacks?
• Interoperability?


How big are cyber security risks?

Size of the market?(1)

• Security concern is the reason for 69% of non-users.
• Share of m-banking consumers that are unbanked is 11%.

[Chart: Usage of different means of accessing banking services]

(1) Consumers and Mobile Financial Services 2014, Board of Governors of the Federal Reserve, March 2014


How big are cyber security risks?

Age profile(1)

[Chart: Use of mobile banking in the past 12 months by age (%)]

(1) Consumers and Mobile Financial Services 2014, Board of Governors of the Federal Reserve, March 2014


How big are cyber security risks?

• How secure?(1)
• Survey results

(1) Consumers and Mobile Financial Services 2014, Board of Governors of the Federal Reserve, March 2014


What does the EU Commission do?

• Data Protection directive/legislation
  - In place since 1995: Directive EC 95/46
  - New legislation under discussion with Parliament to revise the directive into a refreshed legislation
• Network Information Security directive (NIS)
  - Initiative presented by EU Commission
  - Directive under discussion in Parliament
• The Cyber Security Strategy
  - Complements the NIS directive
  - Links to H2020


What does the EU Commission do?

Proposal for a Directive on NIS: Key elements (1/3)

Capabilities: Common NIS requirements at national level
• NIS strategy and cooperation plan
• NIS competent authority
• Computer Emergency Response Team (CERT)


What does the EU Commission do?

Proposal for a Directive on NIS: Key elements (2/3)

Cooperation: NIS competent authorities to cooperate within a network at EU level
• Early warnings and coordinated response
• Capacity building
• NIS exercises at EU level
• ENISA to assist


What does the EU Commission do?

Proposal for a Directive on NIS: Key elements (3/3)

• Risk management and incident reporting for:
  - Energy – electricity, gas and oil
  - Credit institutions and stock exchanges
  - Transport – air, maritime, rail
  - Healthcare
  - Internet enablers
  - Public administrations


What does the EU Commission do?

• The Cyber Security Strategy


Thanks